The documentation on the nix.conf sandbox option says that it requires Nix to run as root and that I need to use build-users-group accordingly.

The problem is, I have a single-user (Darwin) install, so I don't have any nix builder users, nor would I want them as the nix store is owned by my user account. The documentation on build-users-group says if it's unset it uses the uid of the Nix process, which is presumably not what I want (as that would be root, but I don't want to have root-owned paths in my nix store).

What I'd really like to see is some documentation somewhere of how to use sandbox with a single-user install. I'm trying to write up a PR for a package right now but I need to make sure that it works under the sandbox (e.g. I need to make sure any tests in the package aren't using the network).